test(shim): skip privileged tests without required permissions#477
Open
immanuwell wants to merge 1 commit into
Open
test(shim): skip privileged tests without required permissions#477immanuwell wants to merge 1 commit into
immanuwell wants to merge 1 commit into
Conversation
immanuwell
force-pushed
the
test/shim-skip-privileged-tests
branch
from
e4b7e98 to
fa104de
Compare
There was a problem hiding this comment.
Pull request overview
This PR aims to make containerd-shim’s Linux privileged unit tests stop failing on non-root hosts due to environmental permission constraints (cgroup writes, overlay mounts, loop device setup), by detecting permission-related failures and exiting tests early while keeping the tests strict when privileges are available.
Changes:
- Added a test-only helper to classify “permission denied / not permitted” errors.
- Updated overlay mount + recursive unmount and loop device setup tests to skip when the host lacks required permissions.
- Updated the cgroup test to skip when cgroup creation/task addition fails due to missing permissions.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
crates/shim/src/mount_linux.rs |
Skip privileged mount/loop tests when permission errors occur, otherwise assert strictly. |
crates/shim/src/error.rs |
Introduces a test-only helper for recognizing permission-related errors. |
crates/shim/src/cgroup.rs |
Makes cgroup test skip early when cgroup operations fail due to permission constraints. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+96
to
+100
| #[cfg(unix)] | ||
| Error::Nix(err) | Error::MountError { err, .. } => { | ||
| matches!(err, nix::errno::Errno::EACCES | nix::errno::Errno::EPERM) | ||
| } | ||
| Error::Other(msg) => { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
normal
cargo test -p containerd-shim --libcan fail on a non-root linux box, even when nothing is wrong with the code.this keeps the privileged tests strict, but bails out early when the host just does not allow cgroup writes, overlay mounts, or loop device setup. so local runs stop tripping over env stuff, neat and simple.
repro:
cargo +stable test -p containerd-shim --libcargo +stable test -p containerd-shim --lib --features asyncPermission deniedfromtest_add_cgrouportest_setup_loop_dev, and overlay mount can fail toochecks:
cargo +stable check -p containerd-shim --all-targetscargo +stable test -p containerd-shim --libcargo +stable test -p containerd-shim --lib --features asynccargo +stable test -p runc --lib